DNS Overview
DNS (Domain Name System)
Role: keeps the "household register" of hosts, that is the mapping from host name to IP address, as a distributed database system.
Origin: the earliest host resolution relied on the hosts file, maintained by the NIC (Network Information Center). Later the number of hosts became very large and the network increasingly complex, which led to DNS servers.
Structure of the DNS system (an inverted tree structure):
Domain name registration:
To register a domain name under .com, such as redhat.com, you need to go to the administrator of the .com domain (usually an international domain-name management organization such as www.webnic.cc).
To register a domain name under redhat.com, for example mydomain.redhat.com, you need to go to the administrator of the redhat.com domain.
Terms:
DNS server: a host that provides the domain name resolution service.
DNS client: a host that needs to query domain name information. Every networked host uses domain names, so any host is a DNS client. The DNS client needs to know where the DNS server is; on Linux this is read from /etc/resolv.conf.
Forward resolution: resolving an IP address from a host name.
Reverse resolution: resolving a host name from an IP address.
DNS resolution process: recursive resolution is commonly used. To resolve the domain name mail.sohu.com, the host sends a resolution request to the DNS server specified in /etc/resolv.conf. If that server has a matching cache entry, it answers directly. If not, it first sends the request to the root (.) servers, which return the address of the .com DNS servers; the local DNS then sends the request to the .com servers, which in the same way return the address of the sohu.com DNS servers; the local DNS then sends the request to the sohu.com servers, which return the IP address of mail.sohu.com to the local DNS, and the local DNS finally returns the result to the client. This is the recursive query process. Real deployments differ in some details; you can look up related material on the Internet.
Install and configure BIND
1. Download BIND from http://www.isc.org
ftp://ftp.isc.org/isc/bind9/ : the latest BIND releases can be found on this FTP server. Download as needed.
2. Compile and install
[root@happyboy soft]# tar xvzf bind-9.4.0.tar.gz
[root@happyboy soft]# cd bind-9.4.0
[root@happyboy bind-9.4.0]# ./configure --sysconfdir=/etc --disable-openssl-version-check
(The test was performed on an AS 3 system; installing the new version 9.4.0 prompts "it is recommended that you upgrade to OpenSSL version 0.9.8d/0.9.7l (or greater). You can disable this warning by specifying: --disable-openssl-version-check", so that parameter is added.)
[root@happyboy bind-9.4.0]# make
[root@happyboy bind-9.4.0]# make install
By default the programs are installed under /usr/local/bin, such as the DNS debugging tool dig and the DNS query tool nslookup; the server program named and the management tool rndc are placed in /usr/local/sbin.
[root@happyboy bind-9.4.0]# vi /etc/named.conf    // manually create the configuration file with the following content:
options {
        directory "/var/named";
};
zone "." {
        type hint;
        file "named.ca";
};
zone "localhost" {
        type master;
        file "named.local";
};
Note the file format: every statement ends with a semicolon, both inside and outside the braces, and there must be a space between a brace and the text before it.
The root servers are defined in the configuration file named.conf:
zone "." {
        type hint;
        file "named.ca";
};
Generate the named.ca file:
# echo "nameserver 203.196.1.6" > /etc/resolv.conf    // add any available DNS server to the local resolver configuration
# dig -t ns . > /var/named/named.ca                   // query the root domain servers and their IP addresses and write them to named.ca
[root@happyboy named]# more /etc/resolv.conf
nameserver 127.0.0.1    // after completion, set the local DNS server to this host itself
[root@happyboy bind-9.4.0]# vi /var/named/domain.com.zone
[root@happyboy bind-9.4.0]# named
[root@happyboy named]# tail /var/log/messages    // after the service starts, the following information appears in the log file:
Sep 23 21:59:19 happyboy named[22396]: none:0: open: /etc/rndc.key: file not found
Sep 23 21:59:19 happyboy named[22396]: couldn't add command channel 127.0.0.1#953: file not found
Sep 23 21:59:19 happyboy named[22396]: zone localhost/IN: loading from master file named.local failed: file not found
Sep 23 21:59:19 happyboy named[22396]: running
The final "running" line shows that the service has started (only the localhost zone is defined and the named.local file has not been created yet, so "file not found" is reported).
You can use # host www.sohu.com to verify that resolution works.
[root@happyboy named]# ps -aux | grep named
root     22396  0.3  2.6  9280 7092 ?     S    21:59   0:00 named
root     22405  0.0  0.2  4916  668 pts/1 S    grep named
The service is still incomplete. We need to configure rndc, the control channel used to manage the DNS server.
1. Generate the rndc control file
[root@happyboy named]# rndc-confgen > /etc/rndc.conf    // use this command to generate the rndc configuration file
[root@happyboy named]# cat -n /etc/rndc.conf            // inspect the file: only the first few lines are rndc.conf itself; from the line "# Use with the following in named.conf, adjusting the allow list as needed:" onward is the content that has to be added to named.conf
[root@happyboy named]# tail +13 /etc/rndc.conf >> /etc/named.conf    // append that content (from line 13 onward) to named.conf
Note: copied this way the lines are still commented out, so the leading "# " has to be removed after the copy. The following two lines must stay commented:
# Use with the following in named.conf, adjusting the allow list as needed:
# End of named.conf
Do not uncomment those two ......
In vi this can be done with a substitute command over a range, with the cursor on the first line to uncomment: :.,$-1s/^# //  Here "." is the current line, "$-1" is the second-to-last line ($ is the last line), and s/^# // deletes the "#" and the space that follows it at the start of every line in the range.
[root@happyboy etc]# killall -9 named
Restart named after killing the process.
[root@happyboy etc]# rndc status    // shows the server status, which indicates the service started successfully
The logs are also normal:
[root@happyboy root]# more /var/log/messages
Sep 23 22:14:04 happyboy named[22466]: listening on IPv4 interface lo, 127.0.0.1#53
Sep 23 22:14:04 happyboy named[22466]: listening on IPv4 interface eth0, 192.168.0.200#53    // the daemon listens on port 53
Sep 23 22:14:04 happyboy named[22466]: command channel listening on 127.0.0.1#953    // the rndc control channel port
After confirming that the DNS server defined in resolv.conf is this host itself, domain names resolve normally.
Now add the localhost zone, which was already defined at the beginning.
named.conf
zone "localhost" {
        type master;          // type master; its counterpart is slave. The zone database of a master zone is maintained on this server itself
        file "named.local";   // the zone file for this zone
};
Create /var/named/named.local with the following content:
@       IN SOA  localhost. root (
                2004081201      ; serial
                1H              ; refresh
                15M             ; retry
                1W              ; expire
                1D )            ; TTL
        IN NS   @
        IN A    127.0.0.1
The first field is generally a domain name or a host name. Here @ stands for the current zone name, "localhost".
The second field is the class, IN (Internet).
The third field is the record type: NS (name server), A (address), MX (mail exchange) and so on. Every zone has one SOA (start of authority) record; it names the zone for which the zone file is authoritative (localhost.) and the zone administrator, abbreviated here as root.
A complete name must end with a dot. If a name does not end with a dot, the zone name is appended to it, so the complete administrator name is root.localhost., which likewise ends with a dot, while @ is defined as the zone itself.
root.localhost. is thus abbreviated to root. The part in parentheses that follows defines the zone's timing information (there must be a space between the opening parenthesis and the preceding root).
Written out in full, the following two lines would be:
localhost.      IN NS   localhost.
localhost.      IN A    127.0.0.1
Because localhost. is the same as @, and these records all belong to the same owner name @, the owner name is omitted in the lines above: a record with no owner inherits the owner of the preceding record. The other attributes of these records, such as the TTL, are the same as for the SOA record.
Test
[root@happyboy root]# host localhost
localhost has address 127.0.0.1
The localhost zone defined in named.conf can be resolved.
[root@happyboy root]# dig localhost    // you can also query with dig; its output is richer than that of host
The named server caches answers: the first resolution of a name is slow, later ones are faster!
If a new zone is added to the named.conf file, you need to run
# rndc reload    // reload the configuration file to make it take effect
Test: add a forward resolution zone.
Define the zone and its zone file in named.conf:
zone "v1.com" {
        type master
        file "v1.com.zone";
};
Define the v1.com.zone zone file:
@       IN SOA  v1.com. root (
                2004081201      ; serial
                36000           ; refresh
                7200            ; retry
                1W              ; expire
                1D )            ; TTL
        IN NS   ns.v1.com.          ; ns.v1.com. can be abbreviated as ns
        IN MX   10 mail.v1.com.     ; mail.v1.com. can be abbreviated as mail
        IN A    192.168.0.100
ns      IN A    192.168.0.200
www     IN A    192.168.0.100
mail    IN A    192.168.0.100
news    IN CNAME www.v1.com.        ; www.v1.com. can be abbreviated as www
[root@happyboy named]# rndc reload
rndc: 'reload' failed: failure
[root@happyboy named]# more /var/log/messages
Sep 26 21:47:46 happyboy named[1452]: loading configuration from '/etc/named.conf'
Sep 26 21:47:46 happyboy named[1452]: /etc/named.conf:16: missing ';' before 'file'
Sep 26 21:47:46 happyboy named[1452]: reloading configuration failed: failure
The semicolon after "type master" was dropped when the new zone was defined in named.conf, which makes the configuration file fail to reload. After adding it, the configuration loads normally.
[root@happyboy named]# rndc reload
server reload successful
[root@happyboy named]# host v1.com
v1.com has address 192.168.0.100
v1.com mail is handled by 10 mail.v1.com.
Note that the line "IN NS ns.v1.com." above can be replaced by two lines:
        IN NS   @
        IN A    192.168.0.200    ; this means the NS record of the zone is the zone name @ itself, and its A record can then be defined right after it. But note that @ is the omitted owner at the top of the file, as above, so this record must not be misplaced further down
If it were placed after the line "www IN A ...", the omitted owner would be www instead.
[root@happyboy named]# host -t ns v1.com
v1.com name server ns.v1.com.
[root@happyboy named]# host -t a v1.com
v1.com has address 192.168.0.100
[root@happyboy named]# host -t soa v1.com
v1.com has SOA record v1.com. root.v1.com. 2004081201 36000 7200 604800
[root@happyboy named]# host news.v1.com
news.v1.com is an alias for www.v1.com.
www.v1.com has address 192.168.0.100
The test results above show the zone working. To allow access by the short form within the local domain, for example reaching news.v1.com by entering only news, do the following:
[root@happyboy named]# echo "search v1.com" >> /etc/resolv.conf
[root@happyboy named]# more /etc/resolv.conf
nameserver 127.0.0.1
search v1.com
[root@happyboy named]# host news
news.v1.com is an alias for www.v1.com.
www.v1.com has address 192.168.0.200
Global parameters can be written at the beginning of the zone file:
$TTL 1D            ; specify the default TTL (lifetime) for the records in the zone
$ORIGIN v1.com.    ; specify the default domain appended to relative names
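The owner-name rules described above (@ for the zone, the trailing-dot rule, a blank owner inheriting the previous one, and the $ORIGIN/$TTL directives) are easy to get wrong in a hand-written zone file. The following Python script is an added example, not code from the page, that applies exactly those rules to the page's v1.com zone and returns every record with fully qualified names; the function names parse_zone, qualify and lookup are my own.

```python
import re

# Constructed sample: the page's v1.com zone with the optional directives in front.
V1_ZONE = """\
$TTL 1D
$ORIGIN v1.com.
@       IN SOA  v1.com. root (
                2004081201      ; serial
                36000           ; refresh
                7200            ; retry
                1W              ; expire
                1D )            ; TTL
        IN NS   ns.v1.com.
        IN MX   10 mail.v1.com.
        IN A    192.168.0.100
ns      IN A    192.168.0.200
www     IN A    192.168.0.100
mail    IN A    192.168.0.100
news    IN CNAME www.v1.com.
"""

def qualify(name, origin):
    """Trailing-dot rule: '@' is the origin, absolute names stay, relative names
    get the origin appended (root -> root.v1.com., ns -> ns.v1.com.)."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Return (owner, type, rdata) tuples with every name fully qualified.
    A record whose owner column is blank inherits the previous owner."""
    logical, buf, depth = [], [], 0           # fold '( ... )' records into one line
    for line in text.splitlines():
        line = re.sub(r";.*", "", line)       # ';' starts a comment in zone files
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            logical.append(" ".join(buf))
            buf = []
    records, owner = [], origin
    for line in logical:
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0].startswith("$"):         # $ORIGIN / $TTL are directives, not records
            origin = tokens[1] if tokens[0] == "$ORIGIN" else origin
            continue
        if not line[0].isspace():             # owner present only when it starts in column 1
            owner, tokens = qualify(tokens[0], origin), tokens[1:]
        if tokens[0] == "IN":
            tokens = tokens[1:]
        rtype, rdata = tokens[0], [t for t in tokens[1:] if t not in ("(", ")")]
        if rtype in ("NS", "CNAME", "PTR"):   # names inside rdata follow the same rule
            rdata = [qualify(rdata[0], origin)]
        elif rtype == "MX":
            rdata = [rdata[0], qualify(rdata[1], origin)]
        elif rtype == "SOA":
            rdata = [qualify(rdata[0], origin), qualify(rdata[1], origin)] + rdata[2:]
        records.append((owner, rtype, " ".join(rdata)))
    return records

def lookup(records, name, rtype):             # rdata of every record matching owner and type
    return [r for o, t, r in records if o == name and t == rtype]
```

Running parse_zone(V1_ZONE, "v1.com.") shows the SOA administrator expanding to root.v1.com. and the owner-less NS/MX/A lines attaching to v1.com., while the "IN NS @ / IN A" variant discussed above parses to two records for the zone name itself.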
============================================================
Reverse zone for 127.0.0
Append to /etc/named.conf:
zone "0.0.127.in-addr.arpa" {    // note the reverse zone name: the network part of the address reversed, plus the suffix .in-addr.arpa
        type master;
        file "127.0.0.zone";
};
Write /var/named/127.0.0.zone:
@       IN SOA  @ root.localhost. ( 2004051201 1H 14M 1W 1D )    ; note that @ here stands for the reverse zone name 0.0.127.in-addr.arpa., so root.localhost. cannot be abbreviated to root
        IN NS   localhost.
1       IN PTR  localhost.    ; a PTR record has the reversed IP address in front and the host name behind it; the complete form of the owner 1 is 1.0.0.127.in-addr.arpa.
Test
[root@happyboy root]# rndc reload
[root@happyboy root]# host 127.0.0.1
1.0.0.127.in-addr.arpa domain name pointer localhost.
[root@happyboy root]# dig -x 127.0.0.1    // this command is equivalent to dig -t ptr 1.0.0.127.in-addr.arpa
; <<>> DiG 9.4.0 <<>> -t ptr 1.0.0.127.in-addr.arpa
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45631
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;1.0.0.127.in-addr.arpa.        IN      PTR

;; ANSWER SECTION:
1.0.0.127.in-addr.arpa.  86400  IN      PTR     localhost.

;; AUTHORITY SECTION:
0.0.127.in-addr.arpa.    86400  IN      NS      localhost.

;; ADDITIONAL SECTION:
localhost.               86400  IN      A       127.0.0.1

;; Query time: 9 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Oct  1 14:12:42 2007
;; MSG SIZE  rcvd: 93
Add a reverse zone in /etc/named.conf:
zone "0.168.192.in-addr.arpa" {
        type master;
        file "192.168.0.zone";
};
Content of the /var/named/192.168.0.zone file:
[root@happyboy named]# more 192.168.0.zone
@       IN SOA  v1.com. root.v1.com. (
                2004081201
                36000
                7200
                3600000
                86400 )
        IN NS   ns.v1.com.
100     IN PTR  www.v1.com.
100     IN PTR  ftp.v1.com.
3.0.168.192.in-addr.arpa.   IN PTR  mail.v1.com.
Test:
[root@happyboy named]# host 192.168.0.100
100.0.168.192.in-addr.arpa domain name pointer www.v1.com.
100.0.168.192.in-addr.arpa domain name pointer ftp.v1.com.
[root@happyboy named]# host 192.168.0.3
3.0.168.192.in-addr.arpa domain name pointer mail.v1.com.
Note: when doing reverse resolution, try not to put the NS record and its reverse record on the same IP address. In that case unexplained problems may occur: no error is reported, but the query fails.
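As an added example, not part of the original page, the Python below derives the in-addr.arpa zone name and the PTR owner names from the forward A records of v1.com, including the two-PTRs-for-one-address case shown above; it generalises to any octet-aligned IPv4 network (in a /16 zone the owner for 192.168.2.1 becomes 1.2). The sample record list, the SOA timer values and the function names are my own choices.

```python
import ipaddress

# Constructed sample: the forward A records the page defines for v1.com.
FORWARD_A = [
    ("www.v1.com.", "192.168.0.100"),
    ("ftp.v1.com.", "192.168.0.100"),   # two names on one address give two PTR records
    ("mail.v1.com.", "192.168.0.3"),
    ("ns.v1.com.", "192.168.0.200"),
]

def reverse_zone_name(network):
    """Zone name for an octet-aligned IPv4 network: the network octets reversed
    plus the in-addr.arpa suffix, e.g. 192.168.0.0/24 -> 0.168.192.in-addr.arpa."""
    net = ipaddress.ip_network(network, strict=False)
    if net.version != 4 or net.prefixlen % 8:
        raise ValueError("only octet-aligned IPv4 prefixes map onto one in-addr.arpa zone")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."

def ptr_owner(ip, network):
    """Owner name relative to that zone: 192.168.0.100 in 192.168.0.0/24 is '100'
    (the page's '100 IN PTR www.v1.com.'); in a /16 zone it would be '100.0'."""
    net = ipaddress.ip_network(network, strict=False)
    addr = ipaddress.ip_address(ip)
    if addr not in net:
        raise ValueError(f"{ip} is outside {network}")
    host_octets = str(addr).split(".")[net.prefixlen // 8 :]
    return ".".join(reversed(host_octets))

def build_reverse_zone(forward_a, network, ns_name, rname, serial):
    """Generate the reverse zone file for every forward record inside network.
    All names are written absolute (trailing dot) because the origin here is the
    reverse zone, the same reason root.localhost. could not be abbreviated above."""
    lines = [
        f"$ORIGIN {reverse_zone_name(network)}",
        f"@\tIN SOA\t{ns_name} {rname} ( {serial} 36000 7200 3600000 86400 )",
        f"\tIN NS\t{ns_name}",
    ]
    by_ip = {}
    net = ipaddress.ip_network(network, strict=False)
    for fqdn, ip in forward_a:
        if ipaddress.ip_address(ip) in net:
            by_ip.setdefault(ip, []).append(fqdn if fqdn.endswith(".") else fqdn + ".")
    for ip in sorted(by_ip, key=ipaddress.ip_address):   # numeric, not string, order
        for fqdn in by_ip[ip]:
            lines.append(f"{ptr_owner(ip, network)}\tIN PTR\t{fqdn}")
    return "\n".join(lines) + "\n"
```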
============================================================
Subdomain delegation (that is, the NS records used in ordinary DNS resolution)
Add two lines to /var/named/v1.com.zone on the master server:
domain      IN NS   ns.domain      ; full form: domain.v1.com. IN NS ns.domain.v1.com.
ns.domain   IN A    192.168.2.1
(These two lines can also simply be written as
domain      IN NS   domain
            IN A    192.168.2.1    ; domain itself is the NS record and the IP address points to it ......)
Configure the BIND server on 192.168.2.1 as follows:
Add the subdomain domain.v1.com to the named.conf configuration file:
zone "domain.v1.com" {
        type master;
        file "domain.v1.com.zone";
};
The zone file domain.v1.com.zone on the subdomain server is as follows:
@       IN SOA  domain.v1.com. root.domain.v1.com. (
                2004081201 36000 7200 3600000 86400 )
        IN NS   ns.domain.v1.com.
ns      IN A    192.168.2.1
www     IN A    192.168.2.100
The test method is the same as for the master server: change the DNS server in the local /etc/resolv.conf to 127.0.0.1, then run # host www.domain.v1.com to view the result.
Note: once the configuration is correct, the domain.v1.com content delegated to the subdomain server 192.168.2.1 can also be looked up from the master server 192.168.0.200. However, if the subdomain server is used to look up the parent domain, the lookup still has to start from the root (.) domain.
What is actually carried out is a recursive query, and the whole DNS system is essentially a chain of delegations. For more information see related documents on the network.
============================================================
Secondary (slave) domain name server
Purpose: back up the data of the primary domain name server. When the primary server fails, it can temporarily serve in its place.
Example: configure v1.com on the secondary server.
Add this zone to the main configuration file /etc/named.conf:
zone "v1.com" {
        type slave;                    // mark this as a secondary (slave) zone
        file "v1.com.zone";
        masters { 192.168.0.200; };    // note that the master server's address is enclosed in braces, with spaces before and after the braces
};
# rndc reload    // reload the configuration file
Note: this update needs to write the data obtained from the master server into the named directory /var/named, so the user the named process runs as must have write permission on that directory; otherwise the reload above fails.
If named runs as root this problem does not arise. If named runs as user named, group named, run # chmod g+w /var/named.
Data synchronization with the master server depends mainly on the values in the SOA record:
@       IN SOA  localhost. root (
                2004081201      ; serial: the version of the zone data. The newer the data, the larger the number; increase it whenever the data changes so that other DNS servers know to update
                1H              ; refresh: the interval at which the secondary server checks with the primary. Each time it elapses the secondary asks for the serial; if the serial has changed it requests a data transfer
                15M             ; retry: the interval before trying again when contacting the primary fails because of the network or other reasons
                1W              ; expire: if the primary cannot be contacted for this long, the secondary's copy of the zone expires
                1D )            ; minimum TTL, that is the lifetime of the zone's records. It is usually written as $TTL before the SOA and is also the cache time of the SOA record. The default is one day (1D)
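To make the SOA timer semantics concrete, here is an added Python example (not from the page) that parses BIND's time syntax (1H, 15M, 1W, 1D or plain seconds), compares serials the way a secondary does (RFC 1982 serial arithmetic, which the page does not mention), and decides whether a secondary should wait, refresh, retry or treat its copy as expired; the dictionary layout and function names are my own.

```python
import re

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def parse_ttl(value):
    """BIND time syntax as used in the page's SOA: plain seconds ('36000') or
    unit suffixes ('1H', '15M', '1W', '1D', also combinations such as '1h30m')."""
    text = re.sub(r"\s+", "", str(value)).lower()
    if text.isdigit():
        return int(text)
    parts = re.findall(r"(\d+)([smhdw])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"not a BIND time value: {value!r}")
    return sum(int(n) * _UNITS[u] for n, u in parts)

def serial_is_newer(candidate, current):
    """RFC 1982 serial arithmetic: the secondary transfers only when the primary's
    serial is newer modulo 2^32, so 2004081202 beats 2004081201 and 1 beats 2^32-1."""
    diff = (candidate - current) % (1 << 32)
    return 0 < diff < (1 << 31)

def secondary_action(soa, since_success, since_failed_attempt=None):
    """What a secondary should do for one zone given the SOA timers.
    soa: dict with 'refresh', 'retry', 'expire' in BIND syntax;
    since_success: seconds since the last successful refresh or transfer;
    since_failed_attempt: seconds since the last failed contact with the primary,
    or None if the last contact succeeded."""
    refresh, retry, expire = (parse_ttl(soa[k]) for k in ("refresh", "retry", "expire"))
    if since_success >= expire:
        return "expired"      # stop serving the zone: the copy is too old to trust
    if since_failed_attempt is None:
        return "refresh" if since_success >= refresh else "wait"
    return "retry" if since_failed_attempt >= retry else "wait"

# Constructed sample: the timers of the page's localhost zone.
LOCALHOST_SOA = {"serial": 2004081201, "refresh": "1H", "retry": "15M", "expire": "1W"}
```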
============================================================
Run the named service as an ordinary user to improve server security.
An ordinary user needs to write to the /var/run directory at run time, which holds the PID files of processes.
[root@happyboy root]# ls -ld /var/run
drwxr-xr-x    6 root    4096 Oct  1 13:06 /var/run
As you can see, other users have no write permission on this directory. For security, do not change the permissions of /var/run itself; instead create a separate PID directory for named and set its permissions as follows:
First modify named.conf and set the pid-file option:
options {
        ......
        pid-file "/var/run/named/named.pid";    // put named.pid in its own directory
};
[root@happyboy root]# useradd -s /bin/false -d /dev/null named
[root@happyboy root]# id named
uid=515(named) gid=515(named) groups=515(named)
[root@happyboy root]# mkdir /var/run/named
[root@happyboy run]# chown named.named named
[root@happyboy run]# chmod 700 named
[root@happyboy run]# ls -ld named
drwx------    2 named   4096 Oct  1 13:17 named
[root@happyboy run]# killall -9 named
[root@happyboy run]# named -u named    // after changing the permissions, run named as user named
[root@happyboy run]# more /var/log/messages    // check the log: it shows that named started successfully
[root@happyboy run]# ps -aux | grep named
named     1427  0.1  1.9  7248 5088 ?    S    named -u named
[root@happyboy run]# which named
/usr/local/sbin/named
[root@happyboy run]# echo "/usr/local/sbin/named -u named" >> /etc/rc.local    // make the named service run as named at system start
Note also that when running as a secondary server you need to give the named user write permission on the working directory /var/named; for a master server it does not matter.
Common options in the DNS server configuration:
options {
        directory "/var/named";            // the server's working directory, i.e. where the zone database files are kept
        forwarders { 192.168.2.1; };       // if a name cannot be resolved locally, the request is forwarded to this server, usually an external DNS server. If the server cannot resolve it, the root
        allow-transfer { 192.168.1.1; };   // which network segment or address may synchronize (transfer) zone data from this server; usually the address of the secondary server
        allow-query { 192.168.0/24; };     // the client addresses or ranges allowed to query. DNS queries from outside this range are refused, which can be seen in the log
};
zone "v1.com" {
        type master;
        file "v1.com.zone";
        allow-transfer { 192.168.1.1; };   // same meaning as in options, but applies only to this zone
};
Note: the format of the BIND configuration file is very strict, with spaces before and after braces.
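Overly broad allow-transfer and allow-query lists are the usual way a whole zone ends up readable by anyone who asks. The Python below is an added example, not part of the page, that evaluates these address match lists with BIND's first-match semantics (including the abbreviated 192.168.0/24 prefix form and ! negation) so a configuration can be checked against client addresses before it is deployed; the restrictive block is the page's, the permissive "any" variant is constructed for comparison, and the function names are my own. Only any, none, addresses and prefixes are modelled; keyword lists such as localhost or localnets need interface data and are not handled.

```python
import ipaddress
import re

# Constructed sample: the page's options block, plus a permissive variant for comparison.
RESTRICTIVE = """
options {
    directory "/var/named";
    allow-transfer { 192.168.1.1; };
    allow-query    { 192.168.0/24; };
};
"""
PERMISSIVE = "options { allow-transfer { any; }; allow-query { any; }; };"

def expand_prefix(entry):
    """One address-match-list element -> (negated, matcher). BIND accepts abbreviated
    IPv4 prefixes such as '192.168.0/24'; pad them to four octets for ipaddress."""
    negated = entry.startswith("!")
    entry = entry.lstrip("!").strip()
    if entry in ("any", "none"):
        return negated, entry
    addr, _, plen = entry.partition("/")
    if ":" not in addr:                       # IPv4: pad 192.168.0 -> 192.168.0.0
        octets = addr.split(".")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
    net = ipaddress.ip_network(f"{addr}/{plen}" if plen else addr, strict=False)
    return negated, net                       # a bare address becomes a /32 (or /128)

def parse_acl(braced):
    """'{ 192.168.0/24; !192.168.0.5; }' -> list of (negated, matcher) in order."""
    body = re.search(r"\{(.*)\}", braced, re.S).group(1)
    return [expand_prefix(e.strip()) for e in body.split(";") if e.strip()]

def option_acl(conf, option):
    """Extract the address match list of e.g. 'allow-transfer' from named.conf text."""
    m = re.search(rf"\b{option}\s*(\{{[^}}]*\}})", conf)
    return parse_acl(m.group(1)) if m else None

def acl_permits(acl, client_ip):
    """BIND semantics: elements are tested in order and the first match decides;
    a matching negated element denies; if nothing matches the client is denied."""
    client = ipaddress.ip_address(client_ip)
    for negated, matcher in acl:
        if matcher == "any":
            hit = True
        elif matcher == "none":
            hit = False
        else:
            hit = client in matcher           # False when IP versions differ
        if hit:
            return not negated
    return False
```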
This is the complete record of my test in the dormitory ....